ADMINISTRATIVE - INTERNAL USE ONLY


30 MAY 1974 


MEMORANDUM FOR: Legislative Counsel 


SUBJECT: Comments on S. 3418--Federal Privacy Board


1. Because of the length of this bill, as well as the
possibility that the Agency would be exempt from its provisions,
we are setting forth in this memorandum a few comments on
potential problem areas and are attaching as an annex a
summary of its detailed provisions.


2. The bill would establish a Federal Privacy Board,
with five members appointed by the President and confirmed
by the Senate. The Board would publish annually a Data Base
Directory of the United States, containing data on all personal
information systems. Several powers for implementing the
provisions of the bill are given to the Board, and it would
report annually to the Congress and the President.


3. Detailed requirements and procedures for Federal
agencies, state and local governments, and all non-governmental
organizations are set forth, and there are several special
requirements for Federal agencies only. All covered organizations
must give annual notice to the Board and the information
required is very detailed. Organizations must notify persons
on whom they have information of this fact and obtain their
consent for certain transactions, and the individuals can
correct or update this information.


4. The Act would not apply to personal information systems
maintained by a Federal agency whose head determines that
release of such information would seriously damage the national
defense. Also exempted are criminal investigatory files of
law enforcement agencies (with some caveats) and the files
of the press and news media (except for files on their employees).


5. There is a special clause forbidding any organization
to require an individual to disclose his social security
number in connection with commercial and other transactions.


6. There are the usual sections on criminal penalties and
civil remedies, as well as definitions of key terms.


7. If the Director can in fact exempt the Agency's
personal information files and records from the provisions
of this Act, then it presents no difficult problem, as there
do not appear to be any records the disclosure of which would
not damage the national defense.


8. On the other hand, if for any reason the Agency should
be determined to be subject to this Act, with all the requirements
for notification and reporting--to the Federal Privacy
Board, the general public, and to the individuals on whom the
Agency maintains personal information, it would be in deep
trouble. For example, there is the requirement affording any
foreign national, whether or not residing in the United States,
the same rights under this Act as American citizens would have.
There is the maintenance (internally) of lists of all persons
(Agency employees) having regular access to the personal information
in the system. Annually, the Agency would have to
prepare the very detailed notice for the Board, including
information on the procedures whereby an individual may be
informed of information on him and how he can contest its
accuracy. Very little could be done with Agency-held personal
information without the consent of the subject individual and
he would be entitled to know the source of such data. In
other words, all these detailed provisions would hamstring
the Agency in operating its information systems and would
endanger the security of its operation.


Comments on S. 3418--Federal Privacy Board


1. This bill would establish in the executive branch
a Federal Privacy Board, consisting of five members appointed
by the President and confirmed by the Senate. These members
would be from the public at large, exclusive of officials or
employees of the U. S. Government. They would be paid as
GS-18's and would be forbidden from engaging in any other
employment during their three-year terms.


2. The Board would publish an annual Data Base Directory
of the U. S. containing data on each personal information
system. The Board would also consult with heads of departments/
agencies in implementing the provisions of the Act, make rules
to assure compliance with the Act, and conduct research
activities as may be necessary to implement the Act and assist
organizations in complying with its requirements.


3. The Board would be authorized as follows: 


a. to be granted admission at reasonable
hours to premises where any information system,
computers, or equipment or recordings for automatic
data processing are kept, and may compel
the production of documents relating to such
information system or processing;


b. to order an organization found to be
violating the Act to cease and desist from such
violation;


c. to delegate its authority with respect
to information systems within a State (or D. C.)
when satisfied that the State is enforcing the
Act satisfactorily;


d. to hear petitions for exceptions or
exemptions to the Act (only authorized response
is recommendation of action to Congress); and


e. to the fullest extent possible consult
with heads of departments/agencies of Government
in implementing the functions of the Board.


4. The Board would report annually on its activities to
the Congress and to the President.


5. Any Federal agency, State or local government, or 
any organization maintaining an information system including 
personal information would be responsible for the following:


a. collect, maintain, use and disseminate
only personal information necessary to accomplish
a proper purpose of the organization;


b. get the information from the data subject
directly when possible;


c. have categories of information for use
in confidentiality requirements and access controls;


d. maintain information with accuracy,
completeness, timeliness and pertinence to
assure fairness to subject;


e. make no dissemination to another system
without specifying security and use limits, and
determining that it is likely they will be
observed;


f. transfer no personal information outside
the United States unless a treaty or executive
agreement guarantees compliance with this Act;


g. afford any foreign national, whether
residing in the United States or not, the same
rights under this Act as U. S. citizens would
have;


h. maintain a list of all persons having regular
access to personal information in the information
system;


i. maintain complete records of access to
personal information by [illegible]
access authority;


j. establish rules of conduct and inform
each person involved in any aspect of running the
system of the requirements of this Act;


k. establish safeguards to reasonably assure
the system's security;


l. on receipt of written complaint, take
steps to remove complainant's name from any mailing
list of the organization; and


m. collect no personal information concerning
religious or political beliefs,
affiliations, and activities unless authorized
by law.


6. Any such organization maintaining an information 
system that disseminates statistical reports or research
findings based on personal information drawn from the system 
would have to make available to any data subject or group 
the methodology necessary to validate statistical analyses, 
and make no such materials available for independent analysis 
without guarantees that no personal information would be 
used in such a way as might prejudice judgments about any 
data subject. 


7. No Federal agency should:


a. require any individual to disclose
for statistical purposes any personal information
unless such disclosure is required by
law and the individual is informed of such
requirement;


b. request any individual to voluntarily
disclose personal information unless such
request is specifically authorized by law
and the individual is advised that such
disclosure is voluntary;


c. make available to any unauthorized 
Federal employee any study or reports derived 
from any file containing personal information 
except those prepared, published and made 
available for general public use; or 


d. publish statistics of taxpayer income 
classified on the basis of a coding system for 
the delivery of mail. 


8. Any such organization (Federal, State or other) 
maintaining an information system for personal information 
would have to: 


a. give annually to the Federal Privacy 
Board notice of the existence of such a system; 


b. give public notice annually of the
existence and character of such system (Federal
organizations in the Federal Register; other
organizations in local media);


c. in case of a new system or substantial
modification of an existing system, give public
notice and notice to the Federal Privacy Board
in not less than three months; and


d. be sure that the public notice includes
the following:


(1) the name of the system;


(2) the general purpose of the
system;


(3) the categories of personal
information and approximate
number of persons on whom
information is maintained;


(4) the categories of information
maintained, confidentiality
requirements, and access controls;


(5) the organization's policies
regarding information storage,
duration of retention of information,
and purging of such information;


(6) the categories of information
sources;


(7) a description of types of use
made of the information, including
all classes of users, and organizational
relationships among them;


(8) the procedures whereby an individual
may be informed if information on
him is in the system, how he can
gain access to the information, and
how he can contest the accuracy,
completeness, timeliness, pertinence,
and necessity for retention of the
information;


(9) the procedures whereby an individual
or group can gain access to the
information system used for statistical
reporting or research in order
to subject them to independent analysis;
and


(10) the business address and
telephone number of the person
immediately responsible for
the system.


9. Any organization maintaining personal information
should:


a. inform any individual asked to supply
personal information whether it is required by
law or may be refused, and the specific consequences
of providing or not providing the
information;


b. request permission of a data subject
to disseminate all or part of the information
to another system not having regular access
authority, and indicate the use intended and
the specific consequences to the individual;


c. grant to a data subject the right to
inspect (1) all personal information about
him, (2) the sources of the information, (3)
and who receives the information;


d. make the disclosures required by the
Act to data subjects (1) during normal
business hours, (2) in person or by mail,
on proper identification, at reasonable
standard charges for document search and
duplication, and (3) permit the data subject
to be accompanied by one person of his
choosing;


e. when advised that a data subject
wishes to in any way modify the information
on him in the system, the organization
shall:


(1) investigate and record the
current status of such information;


(2) purge any incomplete, inaccurate,
nonpertinent, nontimely, unnecessary,
or unverifiable information;


(3) include in the record a statement
of the data subject as to
his position on any disputed
portion of the information;


(4) in any dissemination of the
disputed information, note
that fact and include the
subject's statement;


(5) make plain to each individual
his right to make a request
under this paragraph;


(6) on subject's request, notify
past recipients of any purging
or correction of the information;
and


(7) advise the individual of his
right to assistance from the
Federal Privacy Board in case
of unresolved disputes.


10. Each organization maintaining a personal information
system when this Act is enacted would have to notify by mail
each data subject of that fact, including (a) the type of
information held and its expected uses, and (b) the name and
address of the place where he could obtain the personal information
pertaining to him in the system.


11. Data subjects of archival-type inactive records
should be notified by mail of the reactivation of such files
within six months after enactment of this Act.


12. Certain specific subsections of this Act would not
apply to any organization which maintains an information
system disseminating statistical reports based on personal
information drawn from that system (or those of other organizations);
purges the names, numbers or other identifying
particulars of individuals; and certifies to the Federal
Privacy Board that no inferences may be drawn about any
individual.


13. This Act would not apply to personal information
systems:


a. to the extent that such system is
maintained by a Federal agency whose head
determines that the release of the information
would seriously damage national defense;


b. which are part of active criminal
investigatory files of law enforcement agencies
(except where the files have been maintained
longer than necessary to begin criminal
prosecution); or


c. which are maintained by press and
news media (except information relating to
employees of such organizations).


14. It would be unlawful for any organization to
require an individual to disclose his social security
number in connection with any commercial activity, or to
refuse to extend credit, make a loan, or enter into any
other business/commercial relationship with an individual
who does not disclose such number, unless disclosure is
required by law. (This does not apply in the administration
of the insurance programs under Title II of the
Social Security Act.)


15. Among the miscellaneous provisions of the Act
are definitions for several key terms used therein, such as
"information system," "personal information," "data subject,"
"organization," "purge," and "Federal Agency." Also, no
organization could reveal any professional, proprietary or
business secrets except as required under the Act.


16. Criminal penalties (fine up to $10,000, imprisonment
not more than five years, or both) are prescribed for an
organization or a responsible officer of same who (a) keeps
an information system without notifying the Federal Privacy
Board or (b) issues personal information in violation of the
Act.


17. Civil remedies include the following: 


a. the Attorney General (on advice of the Board
or any aggrieved person) may bring a court action
against any alleged violator or potential violator
of the Act; and


b. any person who violates the Act is liable
to an aggrieved person for actual damages, punitive
damages (when appropriate), and reasonable attorneys'
fees. The United States consents to be sued under
this section of the Act.


18. Any individual who is denied access to information
required to be disclosed under this Act is entitled to
judicial review of the grounds for such denial. The District
Courts of the United States have jurisdiction in such cases.


19. The effective date would be one year after
enactment of this Act.